If account is hacked, change password

Anyone who has received a message from a friend’s Facebook account urging him to click a link or “like” a page to “Win a Free iPad” or “Get a Free Starbucks Gift Card” knows that social media sites are prime targets for spam and data mining. What do you do if it’s your account that’s doing the spamming?

As soon as you discover that your account has been compromised, report it to Facebook at www.facebook.com/hacked. Enter your password and follow the instructions to reinstate the account in your name. You’ll need to identify yourself, either through your email address, phone number, Facebook user name or your name and the name of one or more of your friends.

Once you’re back in control, reset your Facebook password. Click on the little gear-shaped icon in the top right-hand corner, then choose “Account Settings.” Facebook recommends that you change your password regularly (aim for every few months) to stay secure.

Choose a robust password of seven to 10 digits, mixing numerals, symbols, uppercase and lowercase letters. Be sure to change passwords on any other accounts, such as email or Twitter, that may have been compromised. It’s particularly risky to use the same password across multiple accounts. If your Facebook password is compromised, the hacker can take control of your linked email account if you use the same password for both. This would let the hacker find other logins tied to that email, submit “Forgot My Password” reset requests and gain access to other accounts such as banking and shopping.

Consider using a password management service such as LastPass (www.lastpass.com, free for basic), which will create unique passwords for all your accounts and control your logins so you never have to type your username or password into a site again.

Now you need to determine how your account was compromised and plug any security holes. The most likely culprit is a rogue app that you installed, possibly without realizing you were doing so. For example, if you click a link to “Win a free iPad” posted (probably unwittingly) to your friend’s wall, you’ll be prompted to install an app or provide personal information to “register for the contest.” Every time you approve a Facebook app, you give it permissions. These can range from access to your friends list and the ability to post to your wall to personal information tied to your account (like your email account, linked cellphone number, etc.).

To review your installed apps, click the little gear icon again and choose “Privacy Settings.” Do a quick scan to make sure your privacy settings haven’t been changed to “Public.” Then click on “Apps” in the menu bar at the left of your screen.

Remove apps that you don’t recognize or no longer use by clicking on the “X” to the right of the app name. For those you choose to keep, click on the name of the app to review what information the app can access and choose who sees its posts and/or notifications. Change any visibility settings from a “Public” setting to “Friends” or “Only Me.”

Next, notify your friends that your account was compromised. Let them know they shouldn’t trust anything posted by your account or messages sent within the period that the account was out of your control. Avoid clicking links posted by your account. If you find an app you suspect was the culprit, let friends know to check their installed apps and remove the offender.